End-to-End Network Security: Defense-in-Depth
Omar Santos
Cisco Press, 800 East 96th Street, Indianapolis, Indiana 46240 USA
Copyright © 2008 Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America
First Printing August 2007
Library of Congress Cataloging-in-Publication Data:
Santos, Omar. End-to-end network security : defense-in-depth / Omar Santos. p. cm.
ISBN 978-1-58705-332-0 (pbk.)
1. Computer networks—Security measures. I. Title.
TK5105.59.S313 2007 005.8—dc22 2007028287
ISBN-10: 1-58705-332-2
Warning and Disclaimer
This book is designed to provide information about end-to-end network security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.
Corporate and Government Sales
The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the United States, please contact: International Sales, international@pearsoned.com.
Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Managing Editor: Patrick Kanouse
Development Editor: Betsey Henkels
Project Editor: Jennifer Gallant
Copy Editor: Karen A. Gill
Technical Editors: Pavan Reddy, John Stuppi
Editorial Assistant: Vanessa Evans
Book and Cover Designer: Louisa Adair
Composition: ICC Macmillan Inc.
Indexer: Ken Johnson
Proofreader: Anne Poynter
About the Author
Omar Santos is a senior network security engineer and Incident Manager within the Product Security Incident Response Team (PSIRT) at Cisco. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and the U.S. Department of Defense (DoD). He is also the author of many Cisco online technical documents and configuration guidelines. Before his current role, Omar was a technical leader within the World Wide Security Practice and Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations. He is an active member of the InfraGard organization. InfraGard is a cooperative undertaking that involves the Federal Bureau of Investigation and an association of businesses, academic institutions, state and local law enforcement agencies, and other participants. InfraGard is dedicated to increasing the security of the critical infrastructures of the United States of America. Omar has also delivered numerous technical presentations to Cisco customers and partners, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of the Cisco Press books Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting, and Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance.
About the Technical Reviewers
Pavan Reddy, CCIE No. 4575, currently works as a consulting systems engineer for Cisco specializing in network security. Pavan has been collaborating with customers and partners on the design and implementation of large-scale enterprise and service provider security architectures for nearly ten years. Before joining Cisco, Pavan worked as a network security engineer in the construction and financial industries. Pavan also holds a bachelor of science degree in computer engineering from Carnegie Mellon.
John Stuppi, CCIE No. 11154, is a network consulting engineer for Cisco. John is responsible for creating, testing, and communicating effective techniques using Cisco product capabilities to provide identification and mitigation options to Cisco customers who are facing current or expected security threats. John also advises Cisco customers on incident readiness and response methodologies and assists them in DoS and worm mitigation and preparedness. John is a CCIE and a CISSP, and he holds an Information Systems Security (INFOSEC) Professional Certification. In addition, John has a BSEE from Lehigh University and an MBA from Rutgers University. John lives in Ocean Township, New Jersey with his wife Diane and his two wonderful children, Thomas and Allison.
Dedications
I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful children, Hannah and Derek, who have inspired and supported me throughout the development of this book. I also dedicate this book to my parents, Jose and Generosa. Without their knowledge, wisdom, and guidance, I would not have the goals that I strive to achieve today.
—Omar
Acknowledgments
I would like to acknowledge the technical editors, Pavan Reddy and John Stuppi. Their superb technical skills and input are what make this manuscript a success. Pavan has been a technical leader and advisor within Cisco for several years. He has led many projects for Fortune 500 enterprises and service providers. He was one of the key developers of the Cisco Operational Process Model (COPM). John has also led many implementations and designs for Cisco customers. His experience in worldwide threat intelligence provides a unique breadth of knowledge and value added.
Many thanks to my management team, who have always supported me during the development of this book. I am extremely thankful to the Cisco Press team, especially Brett Bartow, Andrew Cupp, Betsey Henkels, and Jennifer Gallant for their patience and continuous support. Finally, I would like to acknowledge the great minds within the Cisco Security Technology Group (STG), Advanced Services, and Technical Support organizations.
Contents at a Glance
Foreword xix
Introduction xx
Part I Introduction to Network Security Solutions 3
Chapter 1 Overview of Network Security Technologies 5
Part II Security Lifecycle: Frameworks and Methodologies 41
Chapter 2 Preparation Phase 43
Chapter 3 Identifying and Classifying Security Threats 99
Chapter 4 Traceback 141
Chapter 5 Reacting to Security Incidents 153
Chapter 6 Postmortem and Improvement 167
Chapter 7 Proactive Security Framework 177
Part III Defense-In-Depth Applied 209
Chapter 8 Wireless Security 211
Chapter 9 IP Telephony Security 261
Chapter 10 Data Center Security 297
Chapter 11 IPv6 Security 329
Part IV Case Studies 339
Chapter 12 Case Studies 341
Index 422
Contents
Chapter 1 Overview of Network Security Technologies 5
Network Firewalls 6
Network Address Translation (NAT) 7
Stateful Firewalls 9
Deep Packet Inspection 10
Demilitarized Zones 10
Personal Firewalls 11
Technical Overview of IPsec 14
Phase 1 14
Phase 2 16
SSL VPNs 18
Pattern Matching 20
Protocol Analysis 21
Heuristic-Based Analysis 21
Anomaly-Based Analysis 21
RADIUS 23
TACACS+ 25
Identity Management Concepts 26
NAC Appliance 27
NAC Framework 33
Chapter 2 Preparation Phase 43
Threat Modeling 44
Penetration Testing 46
Common Vulnerability Scoring System 50
Base Metrics 51
Temporal Metrics 51
Environmental Metrics 52
Who Should Be Part of the CSIRT? 53
Incident Response Collaborative Teams 54
Tasks and Responsibilities of the CSIRT 54
Strong Device Access Control 59
SSH Versus Telnet 59
Local Password Management 61
Configuring Authentication Banners 62
Interactive Access Control 62
Role-Based Command-Line Interface (CLI) Access in Cisco IOS 64
Controlling SNMP Access 66
Securing Routing Protocols 66
Configuring Static Routing Peers 68
Authentication 68
Route Filtering 69
Time-to-Live (TTL) Security Check 70
Disabling Unnecessary Services on Network Components 70
Cisco Discovery Protocol (CDP) 71
Finger 72
Directed Broadcast 72
Maintenance Operations Protocol (MOP) 72
BOOTP Server 73
ICMP Redirects 73
IP Source Routing 73
Packet Assembler/Disassembler (PAD) 73
Proxy Address Resolution Protocol (ARP) 73
IDENT 74
TCP and User Datagram Protocol (UDP) Small Servers 74
IP Version 6 (IPv6) 75
Locking Down Unused Ports on Network Access Devices 75
Control Resource Exhaustion 75
Resource Thresholding Notification 76
CPU Protection 77
Receive Access Control Lists (rACLs) 78
Control Plane Policing (CoPP) 80
Scheduler Allocate/Interval 81
Policy Enforcement 81
Infrastructure Protection Access Control Lists (iACLs) 82
Unicast Reverse Path Forwarding (Unicast RPF) 83
Automated Security Tools Within Cisco IOS 84
Cisco IOS AutoSecure 84
Cisco Secure Device Manager (SDM) 88
Telemetry 89
Patch Management 90
Cisco Security Agent (CSA) 92
Phased Approach 94
Administrative Tasks 96
Staff and Support 96
Chapter 3 Identifying and Classifying Security Threats 99
NetFlow 108
Enabling NetFlow 111
Collecting NetFlow Statistics from the CLI 112
SYSLOG 115
Enabling Logging (SYSLOG) on Cisco IOS Routers and Switches 115
Enabling Logging on Cisco Catalyst Switches Running CATOS 117
Enabling Logging on Cisco ASA and Cisco PIX Security Appliances 117
SNMP 118
Enabling SNMP on Cisco IOS Devices 119
Enabling SNMP on Cisco ASA and Cisco PIX Security Appliances 121
Cisco Security Monitoring, Analysis and Response System (CS-MARS) 121
Cisco Network Analysis Module (NAM) 125
Open Source Monitoring Tools 126
Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation Appliances 127
The Importance of Signature Updates 131
The Importance of Tuning 133
Anomaly Detection Within Cisco IPS Devices 137
Chapter 7 Proactive Security Framework 177
AAA 183
Cisco Guard Active Verification 185
DHCP Snooping 186
IP Source Guard 187
Digital Certificates and PKI 188
IKE 188
Network Admission Control (NAC) 188
Routing Protocol Authentication 189
Strict Unicast RPF 189
Anomaly Detection 190
IDS/IPS 190
Cisco Network Analysis Module (NAM) 191
Layer 2 and Layer 3 Information (CDP, Routing Tables, CEF Tables) 191
CS-MARS 193
Arbor Peakflow SP and Peakflow X 193
Cisco Security Agent Management Console (CSA-MC) Basic Event Correlation 193
Cisco Security Manager 195
Configuration Logger and Configuration Rollback 195
Embedded Device Managers 195
Cisco IOS XR XML Interface 196
SNMP and RMON 196
Syslog 196
Cisco IOS Role-Based CLI Access (CLI Views) 197
Anomaly Detection Zones 198
Network Device Virtualization 198
Segmentation with VLANs 199
Segmentation with Firewalls 200
Segmentation with VRF/VRF-Lite 200
Chapter 8 Wireless Security 211
WEP 216
WPA 218
802.1x on Wireless Networks 219
EAP with MD5 221
Cisco LEAP 222
EAP-TLS 223
PEAP 223
EAP Tunneled TLS Authentication Protocol (EAP-TTLS) 224
EAP-FAST 224
EAP-GTC 225
Configuring 802.1x with EAP-FAST in the Cisco Unified Wireless Solution 226
Configuring the WLC 226
Configuring the Cisco Secure ACS Server for 802.1x and EAP-FAST 229
Configuring the CSSC 233
Configuring IDS/IPS Sensors in the WLC 241
Uploading and Configuring IDS/IPS Signatures 242
NAC Appliance Configuration 246
WLC Configuration 255
Chapter 9 IP Telephony Security 261
Protecting the IP Telephony Infrastructure 262
Access Layer 266
Distribution Layer 273
Core 275
Securing the IP Telephony Applications 275
Protecting Cisco Unified CallManager 276
Protecting Cisco Unified Communications Manager Express (CME) 277
Protecting Cisco Unity 281
Protecting Cisco Unity Express 287
Protecting Cisco Personal Assistant 289
Hardening the Cisco Personal Assistant Operating Environment 289
Cisco Personal Assistant Server Security Policies 291
Chapter 11 IPv6 Security 329
Filtering Access Control Lists (ACL) 331
ICMP Filtering 332
Extension Headers in IPv6 332
Chapter 12 Case Studies 341
Creating a New Computer Security Incident Response Team (CSIRT) 403
Creating New Security Policies 404
Physical Security Policy 404
Perimeter Security Policy 404
Device Security Policy 405
Remote Access VPN Policy 405
Patch Management Policy 406
Change Management Policy 406
Internet Usage Policy 406
Deploying IPsec Remote Access VPN 406
Configuring IPsec Remote Access VPN 408
Configuring Load-Balancing 415
Reacting to a Security Incident 418
Identifying, Classifying, and Tracking the Security Incident or Attack 419
Reacting to the Incident 419
Postmortem 419
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
- Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
- Italics indicate arguments for which you supply actual values.
- Vertical bars (|) separate alternative, mutually exclusive elements.
- Square brackets [ ] indicate optional elements.
- Braces { } indicate a required choice.
- Braces within brackets [{ }] indicate a required choice within an optional element.
Foreword
Defense-in-Depth is a phrase that is often used and equally misunderstood. This book gives an excellent overview of what this really means and, more importantly, how to apply certain principles to develop appropriate risk mitigation strategies. After you have assimilated the content of this book, you will have a solid understanding of several aspects of security. The author begins with an overview of the basics, then provides comprehensive methodologies for preparing for and reacting to security incidents and, finally, illustrates a unique framework for managing through the lifecycle of security known as SAVE. Also provided are various Defense-in-Depth strategies covering the most current advanced technologies utilized for protecting information assets today. Equally as important are the case studies, which provide the reader with real-world examples of how to put these tools, processes, methodologies, and frameworks to use.
Many reference documents and lengthy periodicals delve into the world of information security. However, few can capture the essence of this discipline and also provide a high-level, demystified understanding of information security and the technical underpinning required to achieve success. Within these pages, you will find many practical tools, both process related and technology related, that you can draw on to improve your risk mitigation strategies. The most effective security programs combine attention to both deeply technical issues and business process issues. The author clearly demonstrates that he grasps the inherent challenges posed by combining these disparate approaches, and he conveys them in an approachable style. You will find yourself not only gaining valuable insight from End-to-End Network Security, but also returning to its pages to ensure you are on target in your endeavors.
We have seen dramatic increases in the type and nature of threats to our information assets. The challenge we face is to fully understand the compensating controls and techniques that can be deployed to offset these threats and do so in a way that is consistent with the business processes and growth strategies of the businesses and government we are trying to protect. This book strikes that delicate balance, and you will find it an invaluable element of your protection initiatives far into the future.
Bruce Murphy
Vice President, World Wide Security Practice
Cisco
Introduction
The network security lifecycle requires specialized support and a commitment to best practice standards. In this book, you will learn best practices that draw upon disciplined processes, frameworks, expert advice, and proven technologies that will help you protect your infrastructure and organization. You will learn end-to-end security best practices, from strategy development to operations and optimization.
This book covers the six-step methodology of incident readiness and response. You must take a proactive approach to security; an approach that starts with assessment to identify and categorize your risks. In addition, you need to understand the network security technical details in relation to security policy and incident response procedures. This book covers numerous best practices that will help you orchestrate a long-term strategy for your organization.
Who Should Read This Book?
The answer to this question is simple—everyone. The principles and best practices covered in this book apply to every organization. Anyone interested in network security should become familiar with the information included in this book—from network and security engineers to management and executives. This book covers not only numerous technical topics and scenarios, but also covers a wide range of operational best practices in addition to risk analysis and threat modeling.
How This Book Is Organized
Part I of this book includes Chapter 1 which covers an introduction to security technologies and products. In Part II, which encompasses Chapters 2 through 7, you will learn the six-step methodology of incident readiness and response. Part III includes Chapters 8 through 11 which cover strategies used to protect wireless networks, IP telephony implementations, data centers, and IPv6 networks. Real-life case studies are covered in Part IV which contains Chapter 12. The following is a chapter-by-chapter summary of the contents of the book.
Part I, “Introduction to Network Security Solutions,” includes:
- Chapter 1, “Overview of Network Security Technologies.” This chapter covers an introduction to security technologies and products. It starts with an overview of how to place firewalls to provide perimeter security and network segmentation while enforcing configured policies. It then dives into virtual private network (VPN) technologies and protocols—including IP Security (IPsec) and Secure Socket Layer (SSL). In addition, this chapter covers different technologies such as intrusion detection systems (IDS), intrusion prevention systems (IPS), anomaly detection systems, and network telemetry features that can help you identify and classify security threats. Authentication, authorization, and accounting (AAA) offers different solutions that provide access control to network resources. This chapter introduces AAA and identity management concepts. Furthermore, it includes an overview of the Cisco Network Admission Control solutions that are used to enforce security policy compliance on all devices that are designed to access network computing resources, thereby limiting damage from emerging security threats. Routing techniques can be used as security tools. This chapter provides examples of different routing techniques, such as Remotely Triggered Black Hole (RTBH) routing and sinkholes, that are used to increase the security of the network and to react to new threats.
Part II, “Security Lifecycle: Frameworks and Methodologies,” includes:
- Chapter 2, “Preparation Phase.” This chapter covers numerous best practices on how to better prepare your network infrastructure, security policies, procedures, and organization as a whole against security threats and vulnerabilities. This is one of the most important chapters of this book. It starts by teaching you risk analysis and threat modeling techniques. You will also learn guidelines on how to create strong security policies and how to create Computer Security Incident Response Teams (CSIRT). Topics such as security intelligence and social engineering are also covered in this chapter. You will learn numerous tips on how to increase the security of your network infrastructure devices using several best practices to protect the control, management, and data plane. Guidelines on how to better secure end-user systems and servers are also covered in this chapter.
- Chapter 3, “Identifying and Classifying Security Threats.” This chapter covers the next two phases of the six-step methodology for incident response—identification and classification of security threats. You will learn how important it is to have complete network visibility and control to successfully identify and classify security threats in a timely fashion. This chapter covers different technologies and tools such as Cisco NetFlow, SYSLOG, SNMP, and others, which can be used to obtain information from your network and detect anomalies that might be malicious activity. You will also learn how to use event correlation tools such as CS-MARS and open source monitoring systems in conjunction with NetFlow to allow you to gain better visibility into your network. In addition, this chapter covers details about anomaly detection, IDS, and IPS solutions by providing tips on IPS/IDS tuning and the new anomaly detection features supported by Cisco IPS.
- Chapter 4, “Traceback.” Tracing back the source of attacks, infected hosts in worm outbreaks, or any other security incident can be overwhelming for many network administrators and security professionals. Attackers can use hundreds or thousands of botnets or zombies that can greatly complicate traceback and hinder mitigation once traceback succeeds. This chapter covers several techniques that can help you successfully trace back the sources of such threats. It covers techniques used by service providers and enterprises.
- Chapter 5, “Reacting to Security Incidents.” This chapter covers several techniques that you can use when reacting to security incidents. It is extremely important for organizations to have adequate incident handling policies and procedures in place. This chapter shows you several tips on how to make sure that your policies and procedures are adequate to successfully respond to security incidents. You will also learn general information about different laws and practices to use when investigating security incidents and computer crimes. In addition, this chapter includes details about different tools you can use to mitigate attacks and other security incidents with your network infrastructure components, including several basic computer forensics topics.
- Chapter 6, “Postmortem and Improvement.” It is highly recommended that you complete a postmortem after responding to security incidents. This postmortem should identify the strengths and weaknesses of the incident response effort. With this analysis, you can identify weaknesses in systems, infrastructure defenses, or policies that allowed the incident to take place. In addition, a postmortem helps you identify problems with communication channels, interfaces, and procedures that hampered the efficient resolution of the reported problem. This chapter covers several tips on creating postmortems and executing post-incident tasks. It includes guidelines for collecting post-incident data, documenting lessons learned during the incident, and building action plans to close gaps that are identified.
- Chapter 7, “Proactive Security Framework.” This chapter covers the Security Assessment, Validation, and Execution (SAVE) framework. SAVE, formerly known as the Cisco Operational Process Model (COPM), is a framework initially developed for service providers, but its practices are applied to enterprises and organizations. This chapter provides examples of techniques and practices that can allow you to gain and maintain visibility and control over the network during normal operations or during the course of a security incident or an anomaly in the network.
Part III, “Defense-In-Depth Applied,” includes:
- Chapter 8, “Wireless Security.” When designing and deploying wireless networks, it is important to consider the security challenges that are inherent to them. This chapter includes best practices to use when deploying wireless networks. You will learn different types of authentication mechanisms, including 802.1x, which is used to enhance the security of wireless networks. In addition, this chapter includes an overview of the Lightweight Access Point Protocol (LWAPP), Cisco Location Services, Management Frame Protection (MFP), and other wireless features to consider when designing security within your wireless infrastructure. The chapter concludes with step-by-step configuration examples of the integration of IPS and the Cisco NAC Appliance on the Cisco Unified Wireless Network solution.
- Chapter 9, “IP Telephony Security.” IP Telephony solutions are being deployed at a fast rate in many organizations. The cost savings introduced with Voice over IP (VoIP) solutions are significant. On the other hand, these benefits can be heavily impacted if you do not have the appropriate security mechanisms in place. In this chapter, you will learn several techniques used to increase the security of IP Telephony networks. This chapter covers how to secure different IP telephony components such as the Cisco Unified CallManager, Cisco Unified CME, Cisco Unity, Cisco Unity Express, and Cisco Unified Personal Assistant. In addition, it covers several ways to protect against voice eavesdropping attacks.
- Chapter 10, “Data Center Security.” In this chapter, you will learn the security strategies, technologies, and products designed to protect against attacks on your data center from both inside and outside the enterprise. Integrated security technologies, including secure connectivity, threat defense, and trust and identity management systems, create a Defense-in-Depth strategy to protect each application and server environment across the consolidated IP, storage, and interconnect data center networking infrastructure. Configuration examples of different solutions such as the Firewall Services Module (FWSM), the Intrusion Detection/Prevention System Module (IDSM), and the Application Control Engine (ACE) module for the Catalyst 6500 series switches are covered in detail. This chapter also covers the use of Layer 2 to Layer 7 security features in infrastructure components to successfully identify, classify, and mitigate security threats within the data center.
- Chapter 11, “IPv6 Security.” This chapter covers an introduction to security topics in Internet Protocol Version 6 (IPv6) implementations. Although it is assumed that you already have a rudimentary understanding of IPv6, this chapter covers basic IPv6 topics. This chapter details the most common IPv6 security threats and the best practices that many organizations adopt to protect their IPv6 infrastructure. IPsec in IPv6 is also covered, with guidelines on how to configure Cisco IOS routers to terminate IPsec in IPv6 networks.
Part IV, “Case Studies,” includes:
- Chapter 12, “Case Studies.” This chapter covers several case studies representing small, medium-sized, and large-scale enterprises. Detailed example configurations and implementation strategies of best practices learned in earlier chapters are covered to enhance learning.
Chapter 1 Overview of Network Security Technologies
This chapter covers the following topics:
- Firewalls
- Virtual Private Networks (VPN)
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
- Anomaly Detection Systems
- Authentication, Authorization, and Accounting (AAA) and Identity Management
- Network Admission Control
- Routing Mechanisms as Security Tools
Technology can be considered your best friend. Nowadays, you can do almost everything over networked systems or the Internet—from simple tasks, such as booking a flight reservation, to a multibillion dollar wire transfer between two large financial organizations. You cannot take security for granted! An attacker can steal credit card information from your online travel reservation or launch a denial of service (DoS) attack to disrupt a wire transfer. It is extremely important to learn new techniques and methodologies to combat electronic penetrations, data thefts, and cyberattacks on critical information systems.
Organizations and individuals must educate themselves to be able to select the appropriate security technologies, tools, and methodologies to prevent and mitigate any security threats before they impact the business. This chapter describes the most common and widely used security products and technologies. These products and technologies include the following:
- Firewalls
- Virtual private networks (VPN)
- Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
- Anomaly detection systems
- Authentication, authorization, and accounting (AAA) and identity management
- Network admission control
NOTE This chapter introduces a range of security technologies and products. Becoming familiar with these topics will help you understand the methodologies and solutions presented in the rest of this book.
Firewalls
If you are a network administrator, security engineer, manager, or simply an end user, you have probably heard of, used, or configured a firewall. Historically, firewalls have been used as barriers to keep intruders and destructive forces away from your network. Today, firewalls and security appliances have many robust and sophisticated features beyond the traditional access control rules and policies. As you read through this section, you will learn more about the different types of firewalls and how they work, the threats they can protect you from, and their limitations.
TIP A detailed understanding of how firewalls and their related technologies work is extremely important for all network security professionals. This knowledge will help them to configure and manage the security of their networks accurately and effectively.
Several network firewall solutions offer user and application policy enforcement that provides multivector attack protection for different types of security threats. They often provide logging capabilities that allow the security administrators to identify, investigate, validate, and mitigate such threats. In addition, several software applications can run on a system to protect only that host. These types of applications are known as personal firewalls. This section includes an overview of both network and personal firewalls and their related technologies.
Network Firewalls
Network firewalls come in many flavors and colors. They range from simple packet filters to sophisticated solutions that include stateful and deep-packet inspection features. For example, you can configure simple access control lists (ACL) on a router to prevent an attacker from accessing corporate resources. Figure 1-1 illustrates how to configure a router to block access from unauthorized hosts and users on the Internet.
Figure 1-1 Basic Packet Filter—Router with Basic ACLs (figure: an IOS router sits between the corporate network and the Internet, where the attacker is located)
In Figure 1-1, the router is configured to deny all incoming traffic from Internet hosts to its protected network (the corporate network). In this example, an attacker tries to scan the protected network from the Internet, and the router drops all traffic.
NOTE The use and configuration of different types of ACLs are covered in Chapter 2, “Preparation Phase.”
The purpose of packet filters is to control access to specific network segments by defining which traffic can pass through to them. Packet filters usually inspect incoming traffic at the transport layer of the Open Systems Interconnection (OSI) model. For example, packet filters can analyze TCP or UDP packets and judge them against a set of predetermined rules called ACLs. They inspect the following elements within a packet:
- Source address
- Destination address
- Source port
- Destination port
- Protocol
Basic packet filters commonly do not inspect additional Layer 3 and Layer 4 fields such as sequence numbers, TCP control flags, and TCP acknowledgement (ACK) fields.
NOTE The previous example illustrates a router configured with only a basic ACL. The Cisco IOS firewall solution provides enterprises and small/medium businesses sophisticated features beyond the traditional packet filters.
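To make the packet-filter behavior concrete, here is an added example (not code from the book) of a stateless filter that evaluates exactly the five fields listed above against an ordered ACL with first-match semantics and an implicit deny. The policy, the protected web server 192.168.1.10 and the outside addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    # Only the five fields a basic packet filter examines; there is
    # deliberately no TCP flags or sequence number field here.
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src_net: str          # CIDR; "0.0.0.0/0" means any source
    dst_net: str          # CIDR; "0.0.0.0/0" means any destination
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; unmatched traffic hits the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed inbound policy for the corporate network of Figure 1-1
# (192.168.1.0/24): drop packets from the Internet that claim an internal
# source address, allow only TCP/80 to the web server, deny everything else.
INBOUND_ACL = [
    Rule("deny", "ip", "192.168.1.0/24", "0.0.0.0/0"),        # anti-spoofing
    Rule("permit", "tcp", "0.0.0.0/0", "192.168.1.10/32", 80),
]

if __name__ == "__main__":
    scan = Packet("203.0.113.5", "192.168.1.10", "tcp", 40000, 22)
    web = Packet("203.0.113.5", "192.168.1.10", "tcp", 40001, 80)
    spoof = Packet("192.168.1.50", "192.168.1.10", "tcp", 40002, 80)
    for p in (scan, web, spoof):
        print(p.src, "->", p.dst, p.dport, evaluate(INBOUND_ACL, p))
```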
Network Address Translation (NAT)
Firewalls can also provide Network Address Translation (NAT) services. They can translate the IP addresses of protected hosts to a publicly routable address.
NOTE Firewalls often use NAT; however, other devices such as routers and wireless access points also provide support for NAT.
Figure 1-2 shows how a firewall translates the IP address of an internal host (192.168.1.100) to a public IP address (209.165.200.225) when the host attempts to access Cisco.com.
Figure 1-2 Basic NAT (figure: a firewall between the internal host and the Internet translates the private address 192.168.1.100 to the public address 209.165.200.225 on the way to cisco.com)
NAT enables organizations to use any IP address space as the internal network. A best practice is to use the address spaces that are reserved for private use (see RFC 1918, “Address Allocation for Private Internets”). Table 1-1 lists the private address ranges specified in RFC 1918.
Table 1-1 Private Address Ranges Specified in RFC 1918
IP Address Range                  Network Mask
10.0.0.0 to 10.255.255.255        10.0.0.0/8
172.16.0.0 to 172.31.255.255      172.16.0.0/12
192.168.0.0 to 192.168.255.255    192.168.0.0/16
NAT techniques come in various types. The most common are Port Address Translation (PAT) and Static NAT. PAT allows many devices on a network segment to be translated to one IP address by inspecting the Layer 4 information on the packet. Figure 1-3 illustrates how three different machines on the corporate network are translated to a single public address.
In Figure 1-3, the host with IP address 192.168.1.100 attempts to access the web server with IP address 209.165.200.230. The firewall translates the internal address to 209.165.200.226 using the source TCP port 1024 and mapping it to TCP port 1234. Notice that the destination port remains the same (port 80).
Figure 1-3 PAT (figure: a host on 192.168.1.0/24 behind the firewall reaches the web server 209.165.200.230 on the Internet; before translation the packet carries source address 192.168.1.100, source port 1024, destination address 209.165.200.230, destination port 80; after translation the source address is 209.165.200.226 and the source port is 1234, while the destination address and port are unchanged)
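The following is an added example (not from the book) of a simplified PAT table that reproduces the translation in Figure 1-3: outbound flows from the private segment are rewritten to the single public address 209.165.200.226 with a newly allocated source port, and return traffic is mapped back only when a translation entry already exists. The port allocation starting at 1234 is a constructed choice so the result matches the figure.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PAT:
    def __init__(self, inside: str, public_ip: str, first_port: int = 1234) -> None:
        self.inside = ip_network(inside)
        self.public_ip = public_ip
        self.next_port = first_port
        self.out: Dict[Tuple[str, int], int] = {}   # (private ip, port) -> public port
        self.back: Dict[int, Tuple[str, int]] = {}  # public port -> (private ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the inside network; destination is untouched."""
        if ip_address(pkt.src) not in self.inside:
            raise ValueError("not an inside source: %s" % pkt.src)
        key = (pkt.src, pkt.sport)
        if key not in self.out:              # allocate a fresh public port per flow
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Undo the translation for a reply; packets with no entry are dropped."""
        if pkt.dst != self.public_ip or pkt.dport not in self.back:
            return None                      # unsolicited inbound traffic is dropped
        src, sport = self.back[pkt.dport]
        return replace(pkt, dst=src, dport=sport)


if __name__ == "__main__":
    pat = PAT("192.168.1.0/24", "209.165.200.226")
    out = pat.outbound(Packet("192.168.1.100", 1024, "209.165.200.230", 80))
    print(out)    # source becomes 209.165.200.226:1234, destination stays :80
    reply = pat.inbound(Packet("209.165.200.230", 80, "209.165.200.226", 1234))
    print(reply)  # delivered back to 192.168.1.100:1024
```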
Stateful Firewalls
Stateful inspection firewalls track every connection passing through their interfaces by examining not only the packet header contents but also the application layer information within the payload. This is done to find out more about the transaction than just the source and destination addresses and ports. Typically, a stateful firewall monitors the state of the connection and maintains a table with the Layer 3 and Layer 4 information. More sophisticated firewalls perform upper-layer protocol analysis, also known as deep-packet inspection, which is discussed later in this chapter. The state of the connection details whether the connection has been established, closed, or reset, or is still being negotiated. These mechanisms offer protection against different types of network attacks. Cisco IOS firewall, Cisco Adaptive Security Appliances (ASA), Cisco PIX firewalls, and the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 series switches are examples of stateful firewalls. They also have other rich features such as deep packet inspection.
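As an added illustration (not code from the book or from any Cisco product), the following minimal stateful engine keeps a connection table keyed by the Layer 3 and Layer 4 tuple and uses the TCP flags to move each entry through the negotiating, established and closing states; an inbound segment is permitted only when it belongs to a connection an inside host opened. The state names and the "out"/"in" direction labels are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}, {"RST"}
    direction: str        # "out" (inside -> outside) or "in" (outside -> inside)


class StatefulFirewall:
    def __init__(self) -> None:
        # (inside ip, inside port, outside ip, outside port) -> state
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def _key(self, seg: Segment) -> Tuple[str, int, str, int]:
        if seg.direction == "out":
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)   # normalise reply direction

    def process(self, seg: Segment) -> str:
        """Return 'permit' or 'deny' and update the connection table."""
        key = self._key(seg)
        state = self.table.get(key)
        if "RST" in seg.flags and state is not None:
            self.table.pop(key)             # reset tears the entry down immediately
            return "permit"
        if state is None:
            # only an inside host may open a connection, and only with a bare SYN;
            # any other unsolicited inbound segment (including a stray SYN/ACK) is denied
            if seg.direction == "out" and seg.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"
                return "permit"
            return "deny"
        if state == "SYN_SENT":
            if seg.direction == "in" and seg.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "ESTABLISHED"
                return "permit"
            return "permit" if seg.direction == "out" and "SYN" in seg.flags else "deny"
        if state == "ESTABLISHED":
            if "FIN" in seg.flags:
                self.table[key] = "CLOSING"   # first FIN seen; wait for the other side
            return "permit"
        if state == "CLOSING":
            if "FIN" in seg.flags:
                self.table.pop(key)           # both FINs seen; a real firewall would
            return "permit"                   # keep the entry briefly for the last ACK
        return "deny"
```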
NOTE For detailed deployment, configuration, and troubleshooting information, see the Cisco Press book titled Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance.
Deep Packet Inspection
Several applications require special handling of data packets when they pass through firewalls. These include applications and protocols that embed IP addressing information in the data payload of the packet or open secondary channels on dynamically assigned ports. Sophisticated firewalls and security appliances such as the Cisco ASA, Cisco PIX firewall, and Cisco IOS firewall offer application inspection mechanisms to handle the embedded addressing information to allow the previously mentioned applications and protocols to work. Using application inspection, these security appliances can identify the dynamic port assignments and allow data exchange on these ports during a specific connection. With deep packet inspection, firewalls can look at specific Layer 7 payloads to protect against security threats. For example, you can configure a Cisco ASA or a Cisco PIX firewall running version 7.0 or later to not allow peer-to-peer (P2P) applications to be transferred over HTTP tunnels. You can also configure these devices to deny specific FTP commands, HTTP content types, and other application protocols.
NOTE The Cisco ASA and Cisco PIX firewall running version 7.0 or later provide a Modular Policy Framework (MPF) that allows a consistent and flexible way to configure application inspection and other features in a manner similar to the Cisco IOS Software Modular quality of service (QoS) command-line interface (CLI).
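The following added example (not code from the book or from any Cisco product) shows the two application-inspection tasks the paragraph above describes for FTP: refusing control-channel commands that a policy denies, and reading the dynamically assigned data port out of a PASV reply so the firewall can open a pinhole for that secondary channel alone. The denied-command set and the sample control-channel lines are constructed for illustration.

```python
import re
from typing import Optional, Set, Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the server embeds the
# address and port of the data channel in the payload; port = p1*256 + p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class FtpInspector:
    def __init__(self, denied_commands: Set[str]) -> None:
        self.denied = {c.upper() for c in denied_commands}
        self.pinholes: Set[Tuple[str, int]] = set()   # (server ip, data port) to allow

    def client_command(self, line: str) -> str:
        """Policy check on one client -> server control line: 'permit' or 'deny'."""
        verb = line.strip().split(" ", 1)[0].upper()
        if not verb.isalpha():               # malformed verb: treat as a protocol violation
            return "deny"
        return "deny" if verb in self.denied else "permit"

    def server_reply(self, line: str) -> Optional[Tuple[str, int]]:
        """On a PASV reply, record and return the pinhole; otherwise None."""
        m = PASV_RE.match(line.strip())
        if not m:
            return None
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None                      # out-of-range octet: ignore the bogus reply
        hole = ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)
        self.pinholes.add(hole)
        return hole


if __name__ == "__main__":
    insp = FtpInspector({"SITE", "DELE"})
    print(insp.client_command("USER anonymous\r\n"))       # permit
    print(insp.client_command("SITE EXEC ls\r\n"))         # deny
    print(insp.server_reply("227 Entering Passive Mode (209,165,200,230,4,210)\r\n"))
```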
Demilitarized Zones
Many firewalls can be configured with network segments (or zones), usually called demilitarized zones (DMZ). These zones provide security to the systems that reside within them, with different security levels and policies between zones. DMZs serve a couple of purposes, for example as segments on which a web server farm resides or as extranet connections to a business partner. Figure 1-4 shows a firewall (a Cisco ASA in this case) with two DMZs.
Figure 1-4 DMZ Example (figure: a Cisco ASA connects the internal network, the Internet, DMZ 1 hosting a web server farm, and DMZ 2 providing an extranet connection to a business partner's network)
In Figure 1-4, DMZ 1 hosts web servers that are accessible by internal and Internet hosts. The Cisco ASA controls access from an extranet business partner connection on DMZ 2.
NOTE In large organizations, you can deploy multiple firewalls in different segments and DMZs.
Personal Firewalls
Personal firewalls are popular software applications that you can install on end-user machines or servers to protect them from external security threats and intrusions. The term personal firewall typically applies to basic software that can control Layer 3 and Layer 4 access to client machines. Today, sophisticated software is available that not only provides basic personal firewall features but also protects the system based on the behavior of the applications installed on it. An example of this type of software is the Cisco Security Agent (CSA). CSA provides several features that offer more robust security than a traditional personal firewall. The following are CSA security features:
- Host intrusion prevention
- Protection against spyware
- Protection against buffer overflow attacks
- Distributed host firewall features
- Malicious mobile code protection
- Operating system integrity assurance
- Application inventory
- Extensive audit and logging capabilities
NOTE Host intrusion prevention systems (HIPS) are detailed and described later in this chapter.
Virtual Private Networks (VPN)
Organizations of all sizes deploy VPNs to provide data integrity, authentication, and data encryption to assure confidentiality of the packets sent over an unprotected network or the Internet. VPNs are designed to avoid the cost of unnecessary leased lines. Many different protocols are used for VPN implementations, including these:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Forwarding (L2F) Protocol
- Layer 2 Tunneling Protocol (L2TP)
- Generic Routing Encapsulation (GRE) Protocol
- Multiprotocol Label Switching (MPLS) VPN
- Internet Protocol Security (IPsec)
- Secure Socket Layer (SSL)
NOTE PPTP, L2F, L2TP, GRE, and MPLS VPNs do not provide data integrity, authentication, and data encryption. On the other hand, you can combine L2TP, GRE, and MPLS with IPsec to provide these benefits. Many organizations use IPsec as their preferred protocol because it supports all three features described earlier (data integrity, authentication, and data encryption).
VPN implementations can be categorized into two distinct groups:
- Site-to-site VPNs: Allow organizations to establish VPN tunnels between two or more sites so that they can communicate over a shared medium such as the Internet. Many organizations use IPsec, GRE, and MPLS VPN as site-to-site VPN protocols.
- Remote-access VPNs: Allow users to work from remote locations such as their